Mobile Enterprise CIO Q&A - BYOD Policies
By Pat Brans
Our Kids of Miami-Dade/Monroe, Inc. is an organization whose mission is beyond reproach. They oversee care for abused and abandoned children in Miami-Dade and Monroe counties. Part of their job is making sure at-risk children grow up in safe, permanent families, and to do this, Our Kids sends agents to foster homes to take a look at what's really going on. Mobile applications help.
Before visits, case workers view subject history on a handheld. During visits, they take pictures of the kids and stamp the images with date, time, and location obtained from the handset's GPS sub-system. After visits, agents take notes, which are then transmitted from the mobile device to a central database.
In the past, Our Kids did all this with BlackBerry devices and Panasonic laptops. Now they are making the same applications available on iPads, and it is precisely this transition that has opened Pat Smith's eyes to the possibilities of allowing a bring-your-own-device (BYOD) policy.
Mobile Enterprise Magazine: So Pat, what are the advantages of BYOD for the employee, for the IT department and for the company as a whole?
Pat Smith: Employees love it. We are fielding more and more requests to support personal phones, mostly iPhones. In addition, executives want to connect their iPads to our network. Most of the IT staff was already using Apple products, so we are already familiar with those platforms.
Now that Mobile Device Management (MDM) vendors can offer the same security as Research in Motion's BlackBerry Enterprise Server platform, attaching these devices to our network is no longer as big a security concern for us. We really don't see BYOD as less work for the IT department. However, our user base is thrilled at having a choice in the device they carry. IT should facilitate access to critical information wherever possible, and look for opportunities to provide a seamless user experience.
Whenever employees are happy, the company benefits.
ME: How do you decide who gets to bring his or her personal device and who doesn't?
PS: Our policy has always been that any employee who needs data or voice communication services away from the office, or after work hours, gets a BlackBerry. We'll certainly apply that rule in deciding who gets support for bringing their devices in.
That said, we haven't yet completely worked this out. However, we do know that we will not support Android, because of the security risks. Since I'm building new applications for iPad and having existing applications ported to iPad, it's simple to provide support for all iOS devices. I don't want to have to support every platform, so we aren't going to take action to overcome our security concerns on Android. We'll just put those devices aside for the time being.
Another thing we know is that we will require that all devices be "certified" up-front before they attach to the network.
ME: How much support do you think IT should provide for employee-liable devices?
PS: We plan to offer complete support for any work applications and "guidance" for any employee-installed applications. Work applications include VPN and email clients. Anything we provide them for their job we'll of course support. If they bring other software, we'll provide guidance, but not full-blown IT support.
ME: When employees come in with their own devices and wireless data plans, how do you reimburse them for communication expenses and how do you put a cap on that cost?
PS: We offer our users a monthly stipend if their supervisor has authorized network access. The monthly allowance is based on averages taken from what we have been paying to support employee use of BlackBerry devices.
Employees get this allowance once they sign off on the new policy, which states that we have the right to wipe the entire device if there is inappropriate use or loss or theft - I can't stress enough how important this is. There are also criteria under which we will perform a partial device wipe. For example, when somebody leaves the company, we'll just remove company data and applications.
The electronic communications policy also allows IT to establish identity, monitor use, and penalize employees for inappropriate use. And we clearly define what we mean by inappropriate use.
There are no two ways around the fact that even though the device belongs to the employee, part of the information on it belongs to the company.
ME: Have you set up ways of encouraging BYOD users to get on the same wireless data network plan as the enterprise? Why or why not?
PS: We expect most will use the same network because of the discount we can offer to staff. From our point of view the extra volume doesn't make a financial difference, because we will be providing a dollar amount to each qualified employee. It's up to the employee to figure out what that means in terms of minutes and data volume.
However, the IT department does prefer that everybody use the same network plan, because it makes it easier for us to provide support. I can go to the same carrier that I already know well and be able to easily troubleshoot.
ME: What security risks do you think are brought on by BYOD, and what tips do you have on mitigating those risks?
PS: Roughly 80 percent of my users aren't officially employees. They are external contractors, which makes my security policy crucial. And we are a HIPAA- and FERPA-compliant organization, so we must observe strict data security policies. The combination of these two realities might seem like a roadblock to BYOD - and without a proactive security and management stance from our end, BYOD wouldn't be doable. Without a strong MDM platform, and a strong electronic communications policy, we simply could not offer BYOD.
However, since we can and do provide all the necessary security functions through such platforms and since we are fully able to meet our compliance requirements, I feel comfortable that BYOD will serve us well. We already have a lot of secure data on BlackBerry devices and laptops. We encrypt this data, and this is something we'll continue to do on all the devices we plan to support thanks to the MDM systems we're utilizing. BYOD works. Yes, it takes some effort, but the tradeoff makes us a better organization. It's a fair trade.